What’s the MVP of GDPR? What to do first, best, quickest

Minimum Viable Product, or MVP, is a new product or service technique: build just enough features to satisfy customers. It may not be 100 percent perfect, but you do what’s most important. With the new personal privacy GDPR law coming in on May 25th 2018, let’s adopt this approach for the purpose of this article. Why? Because MVP is great for focusing on what is important, practical, what works, and what is legally required. I suggest this not for the reasons some may assume, i.e. that I am trying to rush, be lazy, or cut corners. No. I think the alternative approach many are following, a slavish line by line, Bleak House style adherence to a frightening rule book, is confusing businesses. In some cases they end up doing nothing, the worst possible scenario. What’s the MVP of GDPR? What to do first, best, quickest. I would suggest, as the ICO suggests: appoint someone for data compliance, follow the ICO 12 steps, and especially focus on your lawful basis for processing and writing a privacy policy. That puts you in good shape. Let me just explain a few points.

Lawful Processing

The lawful basis for processing data is really your starting point. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

With existing customers, businesses often get confused. If you have customers, you will probably have a contract with them, hence you do not need to get consent to deal with them! Or you may have a Legitimate Interest to hold people’s personal data. For marketing, however, you can deal with them on the basis of consent. Your prospects, or the market you sell to, for example a mailing list, you will need to obtain consent from. Any old data, get rid of it or get it updated. You can do this by email, letter or even orally. But you need proof, including a date.

Privacy Notices

The starting point of a privacy notice should be to tell people:

  • who you are;
  • what you are going to do with their information; and
  • who it will be shared with.

These are the basics upon which all privacy notices should be built. However, they can also tell people more than this, and should do so where you think that not telling people would make your processing of that information unfair. In most cases a privacy notice is a website privacy notice; for an example, visit the ICO Privacy Notice. But they may also be required on various documents, online and on paper, such as for parking, ticketing, rent and so on.

Data Compliance Officer (DCO)

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should also consider whether you are required to formally designate a Data Protection Officer; the ICO website will tell you more. Your DCO needs to make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR, and that they appreciate the impact this is likely to have.

Summary

What’s the MVP of GDPR? What to do first, best, quickest. I would suggest, as the ICO suggests: appoint someone for data compliance, follow the ICO 12 steps, and especially focus on your lawful basis for processing and writing a privacy policy. That puts you in good shape. For a comprehensive list of what to do, we’ve summarised it in this article.

Peter Eales BA Hons Chartered Marketer FCIM FIDM
Founder Director Dorset Business Angels
MD o i solutions limited
